diff --git a/package-lock.json b/package-lock.json index cb26bcac..b8d3bc82 100644 --- a/package-lock.json +++ b/package-lock.json @@ -30,6 +30,14 @@ "node": ">=0.10.0" } }, + "node_modules/@aligent/cdk-basic-auth": { + "resolved": "packages/basic-auth", + "link": true + }, + "node_modules/@aligent/cdk-cloudfront-security-headers": { + "resolved": "packages/cloudfront-security-headers", + "link": true + }, "node_modules/@aligent/cdk-rabbitmq": { "resolved": "packages/rabbitmq", "link": true @@ -38,6 +46,10 @@ "resolved": "packages/static-hosting", "link": true }, + "node_modules/@aligent/esbuild": { + "resolved": "packages/esbuild", + "link": true + }, "node_modules/@ampproject/remapping": { "version": "2.2.1", "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.2.1.tgz", @@ -5783,7 +5795,68 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "packages/basic-auth": { + "name": "@aligent/cdk-basic-auth", + "version": "2.0.0", + "license": "GPL-3.0-only", + "dependencies": { + "@types/aws-lambda": "^8.10.122", + "aws-cdk-lib": "2.97.0", + "constructs": "^10.0.0", + "esbuild": "^0.17.0", + "source-map-support": "^0.5.21" + }, + "devDependencies": { + "@types/jest": "^29.5.5", + "@types/node": "20.6.3", + "aws-cdk": "2.97.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.1", + "typescript": "~5.2.2" + } + }, + "packages/cloudfront-security-headers": { + "name": "@aligent/cdk-cloudfront-security-headers", + "version": "2.0.0", + "dependencies": { + "@types/aws-lambda": "^8.10.122", + "aws-cdk-lib": "2.97.0", + "constructs": "^10.0.0", + "source-map-support": "^0.5.21" + }, + "devDependencies": { + "@types/jest": "^29.5.5", + "@types/node": "20.6.3", + "aws-cdk": "2.97.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.1", + "typescript": "~5.2.2" + } + }, + "packages/esbuild": { + "name": "@aligent/esbuild", + "version": "2.0.0", + "license": "GPL-3.0-only", + "dependencies": { + "aws-cdk-lib": "2.97.0", + "constructs": "^10.0.0", + "esbuild": "^0.17.0", + "source-map-support": "^0.5.21" + }, + "devDependencies": { + "@types/jest": "^29.5.5", + "@types/node": "20.6.3", + "aws-cdk": "2.97.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.1", + "typescript": "~5.2.2" + } + }, "packages/rabbitmq": { + "name": "@aligent/cdk-rabbitmq", "version": "2.0.0", "license": "GPL-3.0-only", "dependencies": { diff --git a/packages/basic-auth/.gitignore b/packages/basic-auth/.gitignore new file mode 100644 index 00000000..75ecda95 --- /dev/null +++ b/packages/basic-auth/.gitignore @@ -0,0 +1,58 @@ +# These are some examples of commonly ignored file patterns. +# You should customize this list as applicable to your project. +# Learn more about .gitignore: +# https://www.atlassian.com/git/tutorials/saving-changes/gitignore + +# Node artifact files +node_modules/ +dist/ + +# Compiled Java class files +*.class + +# Compiled Python bytecode +*.py[cod] + +# Log files +*.log + +# Package files +*.jar + +# Maven +target/ +dist/ + +# JetBrains IDE +.idea/ + +# Unit test reports +TEST*.xml + +# Generated by MacOS +.DS_Store + +# Generated by Windows +Thumbs.db + +# Applications +*.app +*.exe +*.war + +# Large media files +*.mp4 +*.tiff +*.avi +*.flv +*.mov +*.wmv + +!jest.config.js + +# CDK asset staging directory +.cdk.staging +cdk.out + +*.d.ts +*.js \ No newline at end of file diff --git a/packages/basic-auth/.npmignore b/packages/basic-auth/.npmignore new file mode 100644 index 00000000..1464bb5c --- /dev/null +++ b/packages/basic-auth/.npmignore @@ -0,0 +1,11 @@ +*.ts +!lib/handlers/*.ts +!*.d.ts +!*.js + +# CDK asset staging directory +.cdk.staging +cdk.out + +# Samples +sample/ \ No newline at end of file diff --git a/packages/basic-auth/.npmrc b/packages/basic-auth/.npmrc new file mode 100644 index 00000000..3b9bddfc --- /dev/null +++ b/packages/basic-auth/.npmrc @@ -0,0 +1 @@ +10.1.0 \ No newline at end of file diff --git a/packages/basic-auth/.nvmrc b/packages/basic-auth/.nvmrc new file mode 100644 index 00000000..ef1520fc --- /dev/null +++ b/packages/basic-auth/.nvmrc @@ -0,0 +1 @@ +20.7.0 \ No newline at end of file diff --git a/packages/basic-auth/README.md b/packages/basic-auth/README.md new file mode 100644 index 00000000..c16f668b --- /dev/null +++ b/packages/basic-auth/README.md @@ -0,0 +1,4 @@ +# Basic Auth +This library provides a construct which creates a Lambda@Edge functions to perform basic auth validation. + +These functions are intended to be added to an existing Cloudfront distribution diff --git a/packages/basic-auth/index.ts b/packages/basic-auth/index.ts new file mode 100644 index 00000000..0cf5631f --- /dev/null +++ b/packages/basic-auth/index.ts @@ -0,0 +1,3 @@ +import { BasicAuthFunction } from "./lib/basic-auth-construct"; + +export { BasicAuthFunction }; diff --git a/packages/basic-auth/lib/basic-auth-construct.ts b/packages/basic-auth/lib/basic-auth-construct.ts new file mode 100644 index 00000000..2c954f55 --- /dev/null +++ b/packages/basic-auth/lib/basic-auth-construct.ts @@ -0,0 +1,52 @@ +import { Construct } from "constructs"; +import { EdgeFunction } from "aws-cdk-lib/aws-cloudfront/lib/experimental"; +import { Esbuild } from "@aligent/esbuild"; +import { AssetHashType, DockerImage } from "aws-cdk-lib"; +import { Code, IVersion, Runtime, Version } from "aws-cdk-lib/aws-lambda"; +import { join } from "path"; + +export interface BasicAuthFunctionOptions { + username: string; + password: string; +} + +export class BasicAuthFunction extends Construct { + readonly edgeFunction: EdgeFunction; + + constructor(scope: Construct, id: string, options: BasicAuthFunctionOptions) { + super(scope, id); + + const command = [ + "sh", + "-c", + 'echo "Docker build not supported. Please install esbuild."', + ]; + + this.edgeFunction = new EdgeFunction(this, `${id}-basic-auth-fn`, { + code: Code.fromAsset(join(__dirname, "handlers"), { + assetHashType: AssetHashType.OUTPUT, + bundling: { + command, + image: DockerImage.fromRegistry("busybox"), + local: new Esbuild({ + entryPoints: [join(__dirname, "handlers/basic-auth.ts")], + define: { + "process.env.AUTH_USERNAME": options.username, + "process.env.AUTH_PASSWORD": options.password, + }, + }), + }, + }), + runtime: Runtime.NODEJS_18_X, + handler: "basic-auth.handler", + }); + } + + public getFunctionVersion(): IVersion { + return Version.fromVersionArn( + this, + "basic-auth-function-version", + this.edgeFunction.currentVersion.edgeArn + ); + } +} diff --git a/packages/basic-auth/lib/handlers/basic-auth.ts b/packages/basic-auth/lib/handlers/basic-auth.ts new file mode 100644 index 00000000..262387a0 --- /dev/null +++ b/packages/basic-auth/lib/handlers/basic-auth.ts @@ -0,0 +1,38 @@ +import "source-map-support/register"; +import { + CloudFrontRequestEvent, + CloudFrontResponse, + CloudFrontRequest, +} from "aws-lambda"; + +const AUTH_USERNAME = process.env.AUTH_USERNAME; +const AUTH_PASSWORD = process.env.AUTH_PASSWORD; +const authString = + "Basic " + + Buffer.from(AUTH_USERNAME + ":" + AUTH_PASSWORD, "binary").toString("base64"); + +export const handler = async ( + event: CloudFrontRequestEvent +): Promise => { + const request = event.Records[0].cf.request; + const headers = request.headers; + + // Require Basic authentication + if ( + typeof headers.authorization == "undefined" || + headers.authorization[0].value != authString + ) { + const body = "Unauthorized"; + const response = { + status: "401", + statusDescription: "Unauthorized", + body: body, + headers: { + "www-authenticate": [{ key: "WWW-Authenticate", value: "Basic" }], + }, + }; + return response; + } + + return request; +}; diff --git a/packages/basic-auth/package.json b/packages/basic-auth/package.json new file mode 100644 index 00000000..acfc50da --- /dev/null +++ b/packages/basic-auth/package.json @@ -0,0 +1,35 @@ +{ + "name": "@aligent/cdk-basic-auth", + "version": "2.0.0", + "description": "A Cloudfront Lambda@Edge stack for performing basic auth protection", + "main": "index.js", + "scripts": { + "build": "tsc && cd ./lib/handlers && npm ci", + "prepublish": "tsc && cd ./lib/handlers && npm ci" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/aligent/aws-cdk-prerender-proxy-stack.git" + }, + "license": "GPL-3.0-only", + "bugs": { + "url": "https://github.com/aligent/aws-cdk-prerender-proxy-stack/issues" + }, + "homepage": "https://github.com/aligent/aws-cdk-prerender-proxy-stack#readme", + "devDependencies": { + "@types/jest": "^29.5.5", + "@types/node": "20.6.3", + "aws-cdk": "2.97.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.1", + "typescript": "~5.2.2" + }, + "dependencies": { + "@types/aws-lambda": "^8.10.122", + "aws-cdk-lib": "2.97.0", + "constructs": "^10.0.0", + "esbuild": "^0.17.0", + "source-map-support": "^0.5.21" + } +} diff --git a/packages/basic-auth/tsconfig.json b/packages/basic-auth/tsconfig.json new file mode 100644 index 00000000..4082f16a --- /dev/null +++ b/packages/basic-auth/tsconfig.json @@ -0,0 +1,3 @@ +{ + "extends": "../../tsconfig.json" +} diff --git a/packages/cloudfront-security-headers/.gitignore b/packages/cloudfront-security-headers/.gitignore new file mode 100644 index 00000000..f60797b6 --- /dev/null +++ b/packages/cloudfront-security-headers/.gitignore @@ -0,0 +1,8 @@ +*.js +!jest.config.js +*.d.ts +node_modules + +# CDK asset staging directory +.cdk.staging +cdk.out diff --git a/packages/cloudfront-security-headers/.npmignore b/packages/cloudfront-security-headers/.npmignore new file mode 100644 index 00000000..bfd115ba --- /dev/null +++ b/packages/cloudfront-security-headers/.npmignore @@ -0,0 +1,11 @@ +*.ts +!lib/handlers/*.ts +!*.d.ts +!*.js + +# CDK asset staging directory +.cdk.staging +cdk.out + +# Samples +sample/ diff --git a/packages/cloudfront-security-headers/.npmrc b/packages/cloudfront-security-headers/.npmrc new file mode 100644 index 00000000..3b9bddfc --- /dev/null +++ b/packages/cloudfront-security-headers/.npmrc @@ -0,0 +1 @@ +10.1.0 \ No newline at end of file diff --git a/packages/cloudfront-security-headers/.nvmrc b/packages/cloudfront-security-headers/.nvmrc new file mode 100644 index 00000000..ef1520fc --- /dev/null +++ b/packages/cloudfront-security-headers/.nvmrc @@ -0,0 +1 @@ +20.7.0 \ No newline at end of file diff --git a/packages/cloudfront-security-headers/README.md b/packages/cloudfront-security-headers/README.md new file mode 100644 index 00000000..42a12717 --- /dev/null +++ b/packages/cloudfront-security-headers/README.md @@ -0,0 +1,8 @@ +# AWS CDK CloudFront Security Headers +This package contains a Lambda@Edge function for cloudfront to add security headers to the origin response of all requests. + +## Useful commands + + * `npm run build` compile typescript to js + * `npm run watch` watch for changes and compile + * `npm run test` perform the jest unit tests \ No newline at end of file diff --git a/packages/cloudfront-security-headers/lib/handlers/security-header.ts b/packages/cloudfront-security-headers/lib/handlers/security-header.ts new file mode 100644 index 00000000..009e6f56 --- /dev/null +++ b/packages/cloudfront-security-headers/lib/handlers/security-header.ts @@ -0,0 +1,25 @@ +import { CloudFrontResponse, CloudFrontResponseEvent } from "aws-lambda"; + +export const handler = async ( + event: CloudFrontResponseEvent +): Promise => { + const response = event.Records[0].cf.response; + const headers = response.headers; + + // Add in security headers + headers["strict-transport-security"] = [ + { + key: "Strict-Transport-Security", + value: "max-age=108000; includeSubdomains; preload", + }, + ]; + headers["content-security-policy"] = [ + { key: "Content-Security-Policy", value: __CONTENT_SECURITY_POLICY__ }, + ]; + headers["x-content-type-options"] = [ + { key: "X-Content-Type-Options", value: "nosniff" }, + ]; + headers["x-frame-options"] = [{ key: "X-Frame-Options", value: "DENY" }]; + + return response; +}; diff --git a/packages/cloudfront-security-headers/lib/index.ts b/packages/cloudfront-security-headers/lib/index.ts new file mode 100644 index 00000000..3df24046 --- /dev/null +++ b/packages/cloudfront-security-headers/lib/index.ts @@ -0,0 +1,60 @@ +import { AssetHashType, DockerImage } from "aws-cdk-lib"; +import { EdgeFunction } from "aws-cdk-lib/aws-cloudfront/lib/experimental"; +import { Code, IVersion, Runtime, Version } from "aws-cdk-lib/aws-lambda"; +import { Construct } from "constructs"; +import { join } from "path"; +import { Esbuild } from "@aligent/esbuild"; + +export interface SecurityHeaderFunctionProps { + contentSecurityPolicy?: Array; +} + +export class SecurityHeaderFunction extends Construct { + readonly edgeFunction: EdgeFunction; + + constructor( + scope: Construct, + id: string, + props?: SecurityHeaderFunctionProps + ) { + super(scope, id); + + const defineOptions: any = {}; + + if (props?.contentSecurityPolicy) { + defineOptions.__CONTENT_SECURITY_POLICY__ = JSON.stringify( + props.contentSecurityPolicy.join("; ") + ); + } + + const command = [ + "sh", + "-c", + 'echo "Docker build not supported. Please install esbuild."', + ]; + + this.edgeFunction = new EdgeFunction(this, `${id}-security-header-fn`, { + code: Code.fromAsset(join(__dirname, "handlers"), { + assetHashType: AssetHashType.OUTPUT, + bundling: { + command, + image: DockerImage.fromRegistry("busybox"), + local: new Esbuild({ + entryPoints: [join(__dirname, "handlers/security-header.ts")], + define: defineOptions, + }), + }, + }), + runtime: Runtime.NODEJS_18_X, + handler: "security-header.handler", + }); + } + + public getFunctionVersion(): IVersion { + return Version.fromVersionArn( + this, + "security-header-fn-version", + this.edgeFunction.currentVersion.edgeArn + ); + } +} diff --git a/packages/cloudfront-security-headers/package.json b/packages/cloudfront-security-headers/package.json new file mode 100644 index 00000000..31d24bc7 --- /dev/null +++ b/packages/cloudfront-security-headers/package.json @@ -0,0 +1,28 @@ +{ + "name": "@aligent/cdk-cloudfront-security-headers", + "version": "2.0.0", + "description": "A Cloudfront Lambda@Edge function for adding security headers.", + "main": "lib/index.js", + "types": "lib/index.d.ts", + "scripts": { + "build": "tsc && cd ./lib/handlers && npm ci", + "prepublish": "tsc && cd ./lib/handlers && npm ci", + "watch": "tsc -w", + "test": "jest" + }, + "devDependencies": { + "@types/jest": "^29.5.5", + "@types/node": "20.6.3", + "aws-cdk": "2.97.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.1", + "typescript": "~5.2.2" + }, + "dependencies": { + "@types/aws-lambda": "^8.10.122", + "aws-cdk-lib": "2.97.0", + "constructs": "^10.0.0", + "source-map-support": "^0.5.21" + } +} diff --git a/packages/cloudfront-security-headers/test/cdk-cloudfront-security-headers.test.ts b/packages/cloudfront-security-headers/test/cdk-cloudfront-security-headers.test.ts new file mode 100644 index 00000000..f862c662 --- /dev/null +++ b/packages/cloudfront-security-headers/test/cdk-cloudfront-security-headers.test.ts @@ -0,0 +1,17 @@ +// import { expect as expectCDK, countResources } from "@aws-cdk/assert"; +// import * as cdk from "aws-cdk-lib"; +// import { SecurityHeaderFunction } from "../lib/index"; + +/* + * Example test + */ +// test("Lambda Function Created", () => { +// const app = new cdk.App(); +// const stack = new cdk.Stack(app, "TestStack", { +// env: { region: "us-east-1" }, +// }); +// // WHEN +// new SecurityHeaderFunction(stack, "MyTestConstruct"); +// // THEN +// expectCDK(stack).to(countResources("AWS::Lambda::Function", 1)); +// }); diff --git a/packages/cloudfront-security-headers/tsconfig.json b/packages/cloudfront-security-headers/tsconfig.json new file mode 100644 index 00000000..4082f16a --- /dev/null +++ b/packages/cloudfront-security-headers/tsconfig.json @@ -0,0 +1,3 @@ +{ + "extends": "../../tsconfig.json" +} diff --git a/packages/static-hosting/lib/utils/esbuild.ts b/packages/esbuild/esbuild.ts similarity index 91% rename from packages/static-hosting/lib/utils/esbuild.ts rename to packages/esbuild/esbuild.ts index 3385918f..f372e7d8 100644 --- a/packages/static-hosting/lib/utils/esbuild.ts +++ b/packages/esbuild/esbuild.ts @@ -12,13 +12,13 @@ export class Esbuild implements ILocalBundling { logLevel: "info", sourcemap: false, bundle: true, - minify: false, + minify: true, platform: "node", // Do not minify identifiers, otherwise the exported `handler` function name gets minified failing to start // the lambda minifyIdentifiers: false, - minifyWhitespace: false, - minifySyntax: false, + minifyWhitespace: true, + minifySyntax: true, }); } diff --git a/packages/esbuild/index.ts b/packages/esbuild/index.ts new file mode 100644 index 00000000..d482acd3 --- /dev/null +++ b/packages/esbuild/index.ts @@ -0,0 +1,3 @@ +import { Esbuild } from "./esbuild"; + +export { Esbuild }; diff --git a/packages/esbuild/package.json b/packages/esbuild/package.json new file mode 100644 index 00000000..913393a4 --- /dev/null +++ b/packages/esbuild/package.json @@ -0,0 +1,26 @@ +{ + "name": "@aligent/esbuild", + "version": "2.0.0", + "description": "Esbuild implementation for CDK", + "main": "index.js", + "license": "GPL-3.0-only", + "scripts": { + "build": "tsc", + "prepublish": "tsc" + }, + "devDependencies": { + "@types/jest": "^29.5.5", + "@types/node": "20.6.3", + "aws-cdk": "2.97.0", + "jest": "^29.7.0", + "ts-jest": "^29.1.1", + "ts-node": "^10.9.1", + "typescript": "~5.2.2" + }, + "dependencies": { + "aws-cdk-lib": "2.97.0", + "constructs": "^10.0.0", + "esbuild": "^0.17.0", + "source-map-support": "^0.5.21" + } +} diff --git a/packages/esbuild/tsconfig.json b/packages/esbuild/tsconfig.json new file mode 100644 index 00000000..4082f16a --- /dev/null +++ b/packages/esbuild/tsconfig.json @@ -0,0 +1,3 @@ +{ + "extends": "../../tsconfig.json" +} diff --git a/packages/rabbitmq/index.ts b/packages/rabbitmq/index.ts index 835a9f0c..07ca6ec9 100644 --- a/packages/rabbitmq/index.ts +++ b/packages/rabbitmq/index.ts @@ -1,3 +1,3 @@ import { RabbitMQ } from "./lib/rabbitmq-construct"; -export { RabbitMQ }; \ No newline at end of file +export { RabbitMQ }; diff --git a/packages/static-hosting/.npmrc b/packages/static-hosting/.npmrc index eb1dc6a5..3b9bddfc 100644 --- a/packages/static-hosting/.npmrc +++ b/packages/static-hosting/.npmrc @@ -1 +1 @@ -7.13.0 +10.1.0 \ No newline at end of file diff --git a/packages/static-hosting/.nvmrc b/packages/static-hosting/.nvmrc index fd1bd70b..ef1520fc 100644 --- a/packages/static-hosting/.nvmrc +++ b/packages/static-hosting/.nvmrc @@ -1 +1 @@ -16.2.0 +20.7.0 \ No newline at end of file diff --git a/packages/static-hosting/lib/path-remap.ts b/packages/static-hosting/lib/path-remap.ts index b82a211f..bce4bea1 100644 --- a/packages/static-hosting/lib/path-remap.ts +++ b/packages/static-hosting/lib/path-remap.ts @@ -3,7 +3,7 @@ import { Code, IVersion, Runtime, Version } from "aws-cdk-lib/aws-lambda"; import { Construct } from "constructs"; import { join } from "path"; import * as cf from "aws-cdk-lib/aws-cloudfront"; -import { Esbuild } from "./utils/esbuild"; +import { Esbuild } from "@aligent/esbuild"; export interface RemapOptions { path: string;